Restricting access to the file server file system
RBAC users create TrueSight Server Automation objects (scripts, packages, etc.) that are stored on the file server. To create these objects, these users need read and write permissions on the file server.
With those read and write permissions, RBAC users can also tamper with files or accidentally delete files on the file server. Therefore, access to the file server needs to be restricted.
When the file server access restrictions are enabled, access to the file server is segregated as follows:
- Internal access: Required when the Application Server accesses the file server while creating, modifying, or deleting objects such as BLPackage and NSH script.
- External access: Required when you access the file server such as through an NSH script or an extended object.
This segregation allows configuring the write access only when TrueSight Server Automation accesses the file server, and read only access when you access the file server explicitly.
When the file server access restrictions are enabled, the Application Server uses:
- Built-in System:System role:user for all Internal access, instead of the usual RBAC role:user, to communicate with the file server.
- The logged-in user’s RBAC role:user for all explicit (external) access to the file server.
Enabling or disabling the file server access restrictions
You can enable or disable the file server file system restrictions feature by setting the BLASAdmin parameter EnableFileServerAccessRestriction in the Appserver module. This parameter can have the following values:
- true: file server file system access restrictions are enabled.
- false: file server file system access restrictions are disabled.
For a fresh installation of TrueSight Server Automation, the file server file system restrictions are enabled by default. After an upgrade, the file server file system restrictions are not enabled by default.
To enable file server access restrictions
- Start the Application Server Administration console, as described in Starting-the-Application-Server-Administration-console.
- Run the following command on the Application Server:
set appserver EnableFileServerAccessRestriction true
- Configure file server agent ACLs, as described in Configuring the file server agent ACLs.
- Restart the Application Server service. In MAS environment, restart the Application Server service on all the nodes.
To disable file server access restrictions
- Start the Application Server Administration console, as described in Starting-the-Application-Server-Administration-console.
- Run the following command on the Application Server to disable the access restrictions:
set appserver EnableFileServerAccessRestriction false
- Revert the changes you made on the file server while configuring the file server agent ACLs for enabling the file server access restrictions.
- Revert the changes that you made in the exports and users.local files.
- Revert the ownership assigned to the blfsrw user on the storage folder.
- Restart the Application Server service. In MAS environment, restart the Application Server service on all the nodes.
Granting write permission for explicit access
After file server file system access restrictions are enabled, if a use case requires you to create, modify, or delete files on the file server through an NSH script, you can explicitly grant write access to the respective RBAC role:user (for example, BLAdmins:InfraAdmin) using the file server agent ACLs. Map BLAdmins:InfraAdmin to the low-privilege user (blfsrw) on the file server by adding an entry like the following to the users.local file on the file server:
BLAdmins:InfraAdmin rw,map=blfsrw
For more information, see Configuring-the-file-server-agent-ACLs.
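Because every rw entry you add to users.local widens explicit write access, it is worth checking the file after each change. The following audit script is an added example, not BMC's code or part of this documentation. It assumes only the entry format the page shows (`<role>:<user> <perms>,map=<local user>`), treats blfsrw as the only acceptable mapping target for rw entries, and runs against a constructed sample users.local embedded in the script; the role names and the second and third entries in that sample are invented for illustration.

```python
"""Audit a TrueSight file server users.local file for rw mappings.

Added example; not part of the TrueSight Server Automation product.
Assumed line format (from the documentation example):
    <RBAC role>:<user> <rw|ro>,map=<local user>
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Low-privilege local user the documentation maps explicit write access to.
# Assumption for this audit: any rw entry mapped elsewhere is flagged.
LOW_PRIV_USER = "blfsrw"

# Constructed sample users.local (not from a real file server). The first
# entry is the one the documentation shows; the others are invented.
SAMPLE_USERS_LOCAL = """\
# users.local - constructed sample
BLAdmins:InfraAdmin rw,map=blfsrw
BLAdmins:BLAdmin rw,map=root
Auditors:Reviewer ro,map=blfsrw
"""

# principal, permission (rw/ro) and optional ,map=<local user>
ENTRY_RE = re.compile(r"^(?P<principal>\S+)\s+(?P<perms>r[wo])(?:,map=(?P<local>\S+))?$")


@dataclass
class Entry:
    principal: str          # RBAC role:user the entry applies to
    perms: str              # "rw" or "ro"
    local_user: Optional[str]  # local user the principal is mapped to
    line_no: int


def parse_users_local(text: str) -> List[Entry]:
    """Parse users.local content; comments and blank lines are skipped."""
    entries: List[Entry] = []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = ENTRY_RE.match(line)
        if not m:
            raise ValueError(f"line {n}: unrecognised users.local entry {raw!r}")
        entries.append(Entry(m["principal"], m["perms"], m["local"], n))
    return entries


def find_risky_entries(entries: List[Entry], low_priv_user: str = LOW_PRIV_USER) -> List[Entry]:
    """Return rw entries that are not mapped to the low-privilege user."""
    return [e for e in entries if e.perms == "rw" and e.local_user != low_priv_user]


def audit(text: str) -> List[str]:
    """Produce one human-readable finding per risky entry."""
    findings = []
    for e in find_risky_entries(parse_users_local(text)):
        findings.append(
            f"line {e.line_no}: {e.principal} has rw access mapped to "
            f"{e.local_user or '<no map>'} instead of {LOW_PRIV_USER}"
        )
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_USERS_LOCAL):
        print(finding)
```

Run it against the real file with `audit(open("users.local").read())`; an empty result means every rw grant is mapped to the low-privilege user, and each finding names the line to revert or re-map before restarting the Application Server.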